Patents by Inventor Glenn Faden

Glenn Faden has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10178100
Abstract: Implementations of PDB Sandboxing in layers and mapping to different operating systems are described. In exemplary implementations, one or more pluggable databases (PDBs) are encapsulated on common container databases to form one or more PDB sandboxes. Encapsulating PDBs forms an isolation boundary layer configured to dynamically regulate security and isolation of the PDB sandboxes. Access by processes and resources to and from the PDBs inside respective PDB sandboxes through the isolation boundary layer, and access within PDB sandboxes, is regulated using dynamic access processes that dynamically vary access to resources and processes disposed within and external to the PDB sandboxes.
    Type: Grant
    Filed: February 2, 2016
    Date of Patent: January 8, 2019
    Assignee: Oracle International Corporation
    Inventors: Nicolas Michael, Yixiao Shen, Glenn Faden
  • Publication number: 20170111365
Abstract: Implementations of PDB Sandboxing in layers and mapping to different operating systems are described. In exemplary implementations, one or more pluggable databases (PDBs) are encapsulated on common container databases to form one or more PDB sandboxes. Encapsulating PDBs forms an isolation boundary layer configured to dynamically regulate security and isolation of the PDB sandboxes. Access by processes and resources to and from the PDBs inside respective PDB sandboxes through the isolation boundary layer, and access within PDB sandboxes, is regulated using dynamic access processes that dynamically vary access to resources and processes disposed within and external to the PDB sandboxes.
    Type: Application
    Filed: February 2, 2016
    Publication date: April 20, 2017
    Inventors: Nicolas Michael, Yixiao Shen, Glenn Faden
  • Publication number: 20070245030
    Abstract: A secure windowing service is disclosed. When the windowing service receives an indication that a second client (executing in a second container) wishes to be given access to a set of windowing information provided by a first client (executing in a first container), the windowing service determines, based upon sensitivity labels associated with the first and second containers, whether the second client should be given access to the windowing information provided by the first client. By making this determination, the windowing service in effect implements information access control. This information access control helps to ensure that windowing information is not improperly passed from container to container.
    Type: Application
    Filed: February 23, 2006
    Publication date: October 18, 2007
    Inventors: Lokanath Das, Glenn Faden
  • Publication number: 20070220001
    Abstract: A mechanism is disclosed for implementing file access control using labeled containers. With this mechanism, it is possible to implement file access control without storing a sensitivity label with each file, and without checking a sensitivity label each time a file is accessed. Rather, by virtue of the manner in which the containers are labeled, and the manner in which a portion of the file system of one container is incorporated into the file system of another container, file access is effectively controlled. Thus, with this mechanism, it is possible to implement file access control simply and efficiently.
    Type: Application
    Filed: February 23, 2006
    Publication date: September 20, 2007
    Inventor: Glenn Faden
  • Publication number: 20070208873
    Abstract: A mechanism is disclosed for enabling a network address to be shared by multiple containers. By allowing multiple containers to share a network address, a limit on network addresses does not limit the number of containers that can be implemented. Despite the fact that the network address is shared by multiple containers, the uniqueness and isolation of each container is still maintained. In one implementation, this is achieved by associating a unique label with each container. With this unique label, it is possible to forward a packet destined for the shared network address to a specific container despite the fact that multiple containers share the same network address. Thus, with this mechanism, it is possible to achieve container isolation and uniqueness without limiting container scalability.
    Type: Application
    Filed: March 2, 2006
    Publication date: September 6, 2007
    Inventors: Jarrett Lu, James Carlson, Glenn Faden
  • Publication number: 20070198714
    Abstract: A mechanism is disclosed for enabling labeled containers on different host machines to share file system portions. Before a process in a first container on a first host machine is allowed to access a file in a file system contained within a second container on a second host machine, a check is performed to determine whether a first sensitivity label associated with the first container is either identical to or dominates a second sensitivity label associated with the second container. If either is true, access to the file is granted. If the first sensitivity label is neither identical to nor dominates the second sensitivity label, access to the file is denied. By controlling access in this way, it is ensured that only containers with identical or higher sensitivity labels will be allowed to access the file. This in turn allows files to be shared by multiple containers without compromising security.
    Type: Application
    Filed: March 14, 2006
    Publication date: August 23, 2007
    Inventor: Glenn Faden
  • Patent number: 7185210
Abstract: A secure operating system is disclosed in which all code implementing security functionality resides in a security module separate from the operating system code. Calls involving security functions are made using a format or interface which is standardized for all systems. Such a call identifies, inter alia, the resource and the access mode, which are used to identify a cell in a two-dimensional table which contains a pointer to the needed security functions. In this way, security functions are separately compilable, and security policy changes can be made by linking in a new security module. Maintenance of security code is separated from maintenance of the underlying operating system.
    Type: Grant
    Filed: June 24, 1996
    Date of Patent: February 27, 2007
    Assignee: Sun Microsystems, Inc.
    Inventor: Glenn Faden